www.belgium.be Logo of the federal government

WARNING: VEEAM FIXED 18 VULNERABILITIES IN MULTIPLE PRODUCTS, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-216
Version: 
1.0
Affected software: 
Veeam Backup & Replication
Veeam Agent for Linux
Veeam ONE
Veeam Service Provider Console
Veeam Backup for Nutanix AHV
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
Type: 
Different types: RCE, Path traversal, Privilege escalation…
CVE/CVSS: 

CVE-2024-40711: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-40713: CVSS 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-40710: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-39718: CVSS 8.1 (CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

CVE-2024-40714: CVSS 7.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVE-2024-40712: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-40709: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-42024: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-42019: CVSS 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

CVE-2024-42023: CVSS 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-42021: CVSS 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-42022: CVSS 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-42020: CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H)

CVE-2024-38650: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-39714: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-39715: CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-38651: CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-40718: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

Veeam - https://www.veeam.com/kb4649

Risks

Veeam fixed 18 vulnerabilities, including 5 critical ones in different products. The 5 most severe vulnerabilities are:

  • CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution.
  • CVE-2024-42024 (CVSS score: 9.1) - A vulnerability in Veeam ONE that enables an attacker in possession of the Agent service account credentials to perform remote code execution on the underlying machine
  • CVE-2024-42019 (CVSS score: 9.0) - A vulnerability in Veeam ONE that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account
  • CVE-2024-38650 (CVSS score: 9.9) - A vulnerability in Veeam Service Provider Console (VPSC) that allows a low privileged attacker to access the NTLM hash of the service account on the server
  • CVE-2024-39714 (CVSS score: 9.9) - A vulnerability in VPSC that permits a low-privileged user to upload arbitrary files to the server, resulting in remote code execution on the server

The most severe vulnerability addressed is CVE-2024-40711, a critical remote code execution (RCE) vulnerability on Veeam Backup & Replication that can be exploited without authentication.

Description

Veeam patched 6 vulnerabilities in Veeam Backup & Replication:

  • CVE-2024-40711: CVSS score 9.8

A vulnerability allowing unauthenticated remote code execution (RCE).

  • CVE-2024-40713: CVSS score 8.8

A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA.

  • CVE-2024-40710: CVSS score 8.8

A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (saved credentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication.

  • CVE-2024-39718: CVSS score 8.1

 A vulnerability that allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account.

  • CVE-2024-40714: CVSS score 7.8

A vulnerability in TLS certificate validation allows an attacker on the same network to intercept sensitive credentials during restore operations.

  • CVE-2024-40712: CVSS score 7.8

A path traversal vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE).

Veeam patched one vulnerabilities in Veeam agent for Linux:

  •  CVE-2024-40709: CVSS score 7.8

Veeam patched 6 vulnerabilities in Veeam One:

  • CVE-2024-42024: CVSS 9.1

A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed.

  • CVE-2024-42019: CVSS 9.0

A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup & Replication.

  • CVE-2024-42023: CVSS 8.8

A vulnerability that allows low-privileged users to execute code with Administrator privileges remotely.

  • CVE-2024-42021: CVSS 7.5

A vulnerability that allows an attacker with valid access tokens to access saved credentials.

  • CVE-2024-42022: CVSS 7.5

A vulnerability that allows an attacker to modify product configuration files.

  • CVE-2024-42020: CVSS 7.3

 A vulnerability in Reporter Widgets that allows HTML injection.

Veeam patched 4 vulnerabilities in Veeam Service Provider Console:

  • CVE-2024-38650: CVSS 9.9

A vulnerability that allows a low privileged attacker to access the NTLM hash of service account on the VSPC server.

  • CVE-2024-39714: CVSS 9.9

 A vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server.

  • CVE-2024-39715: CVSS 8.5

A vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server.

  • CVE-2024-38651: CVSS 8.5

 A vulnerability that permits a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server.

Veeam patched one vulnerability in Veeam Backup for Nutanix AHV

Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization:

  • CVE-2024-40718: CVSS 8.8

A vulnerability that allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

All the issues have been addressed in the below versions:

  • Veeam Backup & Replication 12.2 (build 12.2.0.334)
  • Veeam Agent for Linux 6.2 (build 6.2.0.101)
  • Veeam ONE v12.2 (build 12.2.0.4093)
  • Veeam Service Provider Console v8.1 (build 8.1.0.21377)
  • Veeam Backup for Nutanix AHV Plug-In v12.6.0.632
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Tenable - https://www.tenable.com/cve/CVE-2024-40711

The Hackers News - https://thehackernews.com/2024/09/veeam-releases-security-updates-to-fix...

Bleepingcomputer - https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-r...